Thursday, 2018-10-11

[00:11] *** devx has quit IRC
[00:11] *** aning has quit IRC
[00:12] *** aning has joined #openstack-keystone
[00:15] *** gyee has quit IRC
[00:16] *** devx has joined #openstack-keystone
[00:29] *** rcernin has quit IRC
[00:49] *** zhurong has joined #openstack-keystone
[00:50] *** zhurong has quit IRC
[01:21] *** Dinesh_Bhor has joined #openstack-keystone
[01:23] <wxy-xiyuan> lbragstad: I'll add sdk patch today.
[01:24] *** gagehugo_ has quit IRC
[01:25] *** gagehugo has joined #openstack-keystone
[01:28] <kmalloc> hopefully i'll have the last bits of webob shredded from keystone soon (last vestiges)
[01:28] <kmalloc> it's so close...
[01:28] <kmalloc> i can taste it
[01:52] <openstackgerrit> Merged openstack/keystone master: Convert auth to flask native dispatching https://review.openstack.org/603461
[02:01] *** rcernin has joined #openstack-keystone
[02:20] <lbragstad> wxy-xiyuan cool - happy to review whenever
[02:21] *** dave-mccowan has quit IRC
[02:28] *** itlinux_ has joined #openstack-keystone
[02:31] *** itlinux has quit IRC
[02:34] <openstackgerrit> Merged openstack/keystone master: Auth flask conversion cleanup https://review.openstack.org/608756
[02:38] *** felipemonteiro has joined #openstack-keystone
[02:40] *** lbragstad has quit IRC
[03:53] <tonyb> lbragstad, gagehugo: Yeah the bump of oslo.log (and other libraries) is a policy violation.  However I admit I'm a little on the fence about it as clearly the versions we're listing are bogus so anyone using thin will be broken.
[03:54] <tonyb> lbragstad, gagehugo: Perhaps we can look at the change again and see which, if any, are testing only issues or issues only when certain config options are set
[03:57] *** shyamb has joined #openstack-keystone
[04:11] *** felipemonteiro has quit IRC
[04:17] *** felipemonteiro has joined #openstack-keystone
[04:24] *** shyamb has quit IRC
[04:35] *** shyamb has joined #openstack-keystone
[04:41] *** felipemonteiro has quit IRC
[04:53] *** shyamb has quit IRC
[05:04] <openstackgerrit> Juan Antonio Osorio Robles proposed openstack/oslo.policy master: Implement base for pluggable policy drivers https://review.openstack.org/577807
[05:05] *** shyamb has joined #openstack-keystone
[05:09] *** hoonetorg has quit IRC
[05:12] <openstackgerrit> Juan Antonio Osorio Robles proposed openstack/oslo.policy master: Implement base for pluggable policy drivers https://review.openstack.org/577807
[05:15] <openstackgerrit> Juan Antonio Osorio Robles proposed openstack/oslo.policy master: Implement base for pluggable policy drivers https://review.openstack.org/577807
[05:18] <openstackgerrit> Juan Antonio Osorio Robles proposed openstack/oslo.policy master: POC: Add Open Policy Agent driver https://review.openstack.org/604038
[05:21] <openstackgerrit> Juan Antonio Osorio Robles proposed openstack/oslo.policy master: POC: Add Open Policy Agent driver https://review.openstack.org/604038
[05:33] *** aojea has joined #openstack-keystone
[05:42] *** aojea has quit IRC
[05:52] <openstackgerrit> Juan Antonio Osorio Robles proposed openstack/oslo.policy master: POC: Add Open Policy Agent driver https://review.openstack.org/604038
[06:01] *** pcaruana has joined #openstack-keystone
[06:24] *** shyamb has quit IRC
[06:29] *** dims has quit IRC
[06:33] *** dims has joined #openstack-keystone
[06:33] *** jrist has joined #openstack-keystone
[06:38] *** dims has quit IRC
[06:39] *** dims has joined #openstack-keystone
[06:50] *** shyamb has joined #openstack-keystone
[07:01] *** rcernin has quit IRC
[07:04] <openstackgerrit> Juan Antonio Osorio Robles proposed openstack/oslo.policy master: Implement base for pluggable policy drivers https://review.openstack.org/577807
[07:04] <openstackgerrit> Juan Antonio Osorio Robles proposed openstack/oslo.policy master: POC: Add Open Policy Agent driver https://review.openstack.org/604038
[07:09] *** jrist has quit IRC
[07:31] *** errr has joined #openstack-keystone
[07:43] *** shyamb has quit IRC
[08:03] *** Dinesh_Bhor has quit IRC
[08:17] <errr> I'm trying to map federated users to local ones. I have the following mapping file: https://gist.github.com/michaelrice/67dc4cce606dc208d45482b54060ac76 and testing with the mapping engine it seems like it would work, but when I log in I get: Could not map any federated user properties to identity values. Check debug logs or the mapping used for additional details.
[08:18] <errr> Do I have my mapping file created wrong?
[08:27] *** shyamb has joined #openstack-keystone
[08:33] <openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Remaining cases of MappingEngineTester https://review.openstack.org/606912
[08:38] *** mvkr has quit IRC
[08:38] <cmurphy> errr: did you check the debug logs? there should be a few lines in there about what the mapped values came out to
[08:39] <openstackgerrit> Merged openstack/keystone master: Replace openSUSE experimental check with newer version https://review.openstack.org/609465
[08:39] <errr> cmurphy: as in keystone.log?
[08:39] <cmurphy> errr: yes
[08:40] <cmurphy> with debug=true in keystone.conf
[08:40] <cmurphy> possibly insecure_debug=true too but i don't think that's necessary for those mapping engine logs
[08:40] <errr> I think I just have insecure_debug enabled
[08:41] <cmurphy> you need debug too, one doesn't imply the other
[08:44] <errr> cmurphy: what am I looking for in here. Now there is so much output.
[08:46] <cmurphy> heh
[08:46] <cmurphy> let me check
[08:50] <errr> thanks
[08:51] <cmurphy> errr: http://paste.openstack.org/show/731881/
[08:51] <cmurphy> the top half is the assertion values and the bottom half is the mapping
[08:53] <errr> there is no "mapped_properties" entry for this user
[08:54] <errr> the assertion data is there for that user, but not the mapped_properties
[08:57] <errr> well now it's working. I didn't change anything.. wtf
[08:57] <openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Fix wrong URL of keystone-specs https://review.openstack.org/609629
[08:58] <cmurphy> errr: magic
[08:58] <errr> ¯\_(ツ)_/¯
[09:00] <errr> so is there a way to disable the local login abilities for users I map via federation?
[09:02] <cmurphy> you could make sure the local users don't have passwords set
[09:02] <errr> ok
[09:02] <errr> thanks for the help :)
[09:02] <cmurphy> yw :)
[09:09] *** mvkr has joined #openstack-keystone
[09:12] *** nicolasbock has quit IRC
[09:12] *** jistr is now known as jistr|call
[09:14] *** Dinesh_Bhor has joined #openstack-keystone
[09:28] *** Dinesh_Bhor has quit IRC
[09:34] *** shyamb has quit IRC
[09:34] *** shyamb has joined #openstack-keystone
[09:39] *** shyamb has quit IRC
[09:42] *** shyamb has joined #openstack-keystone
[09:52] *** imacdonn has quit IRC
[09:53] *** imacdonn has joined #openstack-keystone
[10:08] *** Dinesh_Bhor has joined #openstack-keystone
[10:17] *** dmellado has quit IRC
[10:35] *** shyamb has quit IRC
[11:00] *** jistr|call is now known as jistr
[11:01] *** shyamb has joined #openstack-keystone
[11:06] *** shyamb has quit IRC
[11:13] *** Emine has joined #openstack-keystone
[11:14] *** belmorei_ has joined #openstack-keystone
[11:14] *** shyamb has joined #openstack-keystone
[11:17] *** belmoreira has quit IRC
[11:26] *** Dinesh_Bhor has quit IRC
[11:36] *** belmorei_ has quit IRC
[11:40] *** aojea has joined #openstack-keystone
[11:44] *** Dinesh_Bhor has joined #openstack-keystone
[11:45] *** Dinesh_Bhor has quit IRC
[11:45] *** shyamb has quit IRC
[11:45] *** shyamb has joined #openstack-keystone
[12:06] *** dave-mccowan has joined #openstack-keystone
[12:10] *** dmellado has joined #openstack-keystone
[12:12] <gagehugo> o/
[12:19] *** dave-mccowan has quit IRC
[12:55] *** aojea has quit IRC
[12:55] *** aojea has joined #openstack-keystone
[12:56] <hrybacki> gagehugo: that balance is kmalloc ;)]
[13:00] *** aojea has quit IRC
[13:01] *** shyamb has quit IRC
[13:12] *** dims has quit IRC
[13:14] *** dims has joined #openstack-keystone
[13:17] *** felipemonteiro has joined #openstack-keystone
[13:19] *** dims has quit IRC
[13:31] *** lbragstad has joined #openstack-keystone
[13:31] *** ChanServ sets mode: +o lbragstad
[13:33] *** jrist has joined #openstack-keystone
[13:36] *** aojea has joined #openstack-keystone
[13:44] *** felipemonteiro has quit IRC
[13:58] <aning> Question about unique_last_password_count in keystone.conf ... if it is set to 3, I expect keystone to keep the past 3 passwords in DB, is that right?
[14:00] <aning> In my keystone, I set it to 2, but I saw 4 past passwords in "password" table, how come?
[14:03] <lbragstad> aning keystone only stores the hashes - but let me see if i can recreate
[14:05] <aning> lbragstad: well in my deployment the restriction to renew old passwords doesn't work
[14:06] <aning> lbragstad: right I'm aware that only passwords are stored, and they are hashed by bcrypt.
[14:06] <aning> lbragstad: only password hash
[14:07] *** aojea has quit IRC
[14:12] <lbragstad> i just rotated passwords and I have my unique_last_password_count set to 2
[14:12] *** mvkr has quit IRC
[14:13] <lbragstad> but i only see 3 password hashes in the password table
[14:14] <lbragstad> if i continue changing my password to unique passwords, the oldest password hash is cleaned up from the database
[14:16] <lbragstad> there is code in the sql driver to pull only the most recent hashes based on the configuration option
[14:17] <lbragstad> https://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/backends/sql.py#n234
[14:17] <lbragstad> does that help answer your question aning?
[14:18] *** mchlumsky has joined #openstack-keystone
[14:18] <aning> lbragstad: if you set to 2, I think keystone only needs to store 2.
[14:18] <aning> lbragstad: actually we need to store only 1
[14:20] <lbragstad> is that due to a security requirement?
[14:20] *** jrist has quit IRC
[14:20] <aning> lbragstad: because if the count is 2, that means you can't reuse the past 1 previous password.
[14:21] <lbragstad> if the count is two in the database?
[14:21] <aning> lbragstad: no, it's not a security requirement, just wondering why we store more than enough.
[14:21] <aning> no, is the unique_last_password_count is set to 2
[14:22] *** dims has joined #openstack-keystone
[14:22] *** knikolla has joined #openstack-keystone
[14:22] <lbragstad> if you set unique_last_password_count to 2 you should be able to use the password you just used
[14:23] <aning> lbragstad: BTW we are on PIKE
[14:23] <lbragstad> shouldn't*
[14:23] <lbragstad> ok - good to know
[14:23] <aning> lbragstad: right, but why we need to store 2 passwords then?
[14:24] <lbragstad> because keystone needs to be able to verify the password you're trying to use doesn't match the last two used
[14:24] <aning> lbragstad: we only need to store the password I just used.
[14:25] <aning> lbragstad: we are doing some bean counting here :)
[14:25] <lbragstad> bean counting is always fun
[14:26] <lbragstad> aning so what's your policy on passwords? you just want to make sure users can't use the password they just used?
[14:26] <aning> lbragstad: right
[14:26] <lbragstad> if i'm a user in your deployment, i should be able to change my password from `password` -> `new_pass` -> `password`?
[14:28] <aning> I want the user NOT able to reuse the past 2 previous passwords, meaning the user shouldn't be able to do what you said.
[14:28] <lbragstad> ok
[14:28] <aning> My understanding is that I need to set unique_last_password_count = 3
[14:29] <aning> since unique_last_password_count actually includes the one the user wants to change to.
[14:29] <lbragstad> so you want to be able to have users change passwords from `password1` -> `password2` -> `password3` -> `password1`?
[14:29] <aning> Need to rush to a meeting and will be back in half hour.
[14:30] <lbragstad> ok
[14:31] *** dave-mccowan has joined #openstack-keystone
[14:33] <lbragstad> aning for when you get back, i was able to set unique_last_password_count = 2 and achieved the outcome you wanted
[14:33] <lbragstad> there are three records in the keystone.password table because it stores both old passwords and the current password
[14:34] <lbragstad> if you're looking at the database, you can tell which one is the current one in use by the expires_at and expires_at_int columns
[14:34] <lbragstad> those get set when a password is invalidated by a new password
[14:35] <lbragstad> in my test i started with `password1`, changed it to `password2` and then to `password3` before I could change it back to `password1`
[14:43] *** dims has quit IRC
[14:48] *** dims has joined #openstack-keystone
[14:58] *** openstackgerrit has quit IRC
[14:58] *** openstackgerrit has joined #openstack-keystone
[14:59] *** aojea has joined #openstack-keystone
[15:02] <aning> lbragstad: Thanks for the experiment. I think there might be an issue in our deployment.
[15:03] <aning> lbragstad: BTW, you are testing on the latest right?
[15:04] *** lbragstad has quit IRC
[15:05] *** lbragstad has joined #openstack-keystone
[15:05] *** ChanServ sets mode: +o lbragstad
[15:08] *** gyee has joined #openstack-keystone
[15:18] *** lbragstad has quit IRC
[15:19] *** lbragstad has joined #openstack-keystone
[15:19] *** ChanServ sets mode: +o lbragstad
[15:22] *** openstackgerrit has quit IRC
[15:23] *** mugsie has joined #openstack-keystone
[15:27] *** mvkr has joined #openstack-keystone
[15:29] <kmalloc> o/
[15:29] <kmalloc> \o
[15:30] <kmalloc> \o/
[15:31] *** aojea has quit IRC
[15:35] *** openstackgerrit has joined #openstack-keystone
[15:35] <openstackgerrit> guang-yee proposed openstack/keystone master: add unit tests for healthcheck https://review.openstack.org/609549
[15:50] *** jrist has joined #openstack-keystone
[15:53] *** dklyle has quit IRC
[15:55] *** Emine has quit IRC
[15:58] *** dklyle has joined #openstack-keystone
[15:59] *** jrist has quit IRC
[16:02] *** aojea has joined #openstack-keystone
[16:16] *** mvkr has quit IRC
[16:34] *** aojea has quit IRC
[16:34] *** dmellado has quit IRC
[17:04] *** dklyle has quit IRC
[17:04] *** aojea has joined #openstack-keystone
[17:13] *** mbuil has quit IRC
[17:15] *** sayalilunkad has quit IRC
[17:19] *** sayalilunkad has joined #openstack-keystone
[17:31] *** etp has joined #openstack-keystone
[17:35] *** dklyle has joined #openstack-keystone
[17:36] *** aojea has quit IRC
[17:50] *** andreykurilin has quit IRC
[17:51] *** andreykurilin has joined #openstack-keystone
[18:00] *** mvkr has joined #openstack-keystone
[18:20] *** openstackgerrit has quit IRC
[18:27] *** dmellado has joined #openstack-keystone
[18:28] *** openstackstatus has quit IRC
[18:29] *** openstackstatus has joined #openstack-keystone
[18:29] *** ChanServ sets mode: +v openstackstatus
[18:43] *** openstackgerrit has joined #openstack-keystone
[18:43] <openstackgerrit> Lance Bragstad proposed openstack/oslo.policy master: Add guidelines for naming policies https://review.openstack.org/606214
[18:54] *** dave-mccowan has quit IRC
[18:55] <kmalloc> lbragstad: next flask patch i'm posting converts exception handling to flask native and removes the last non-authtoken middleware
[18:55] <kmalloc> the final patch will be migrating authcontext to internal-load only (no stevedore)
[18:55] <kmalloc> and then i'm whacking away at the old wsgi code so that we're free and clear of the legacy stuff (and closing the bug)
[18:56] <kmalloc> i'll open a new bug specifically for authcontext to be ... smarter
[18:56] <kmalloc> and less webob specific (or at least not need to be as heavily modified in tree)
[18:58] *** dave-mccowan has joined #openstack-keystone
[19:03] *** dave-mccowan has quit IRC
[19:04] *** dave-mccowan has joined #openstack-keystone
[19:06] <lbragstad> nice
[19:06] <lbragstad> that sounds good
[19:08] <kmalloc> lbragstad: https://bugs.launchpad.net/keystonemiddleware/+bug/1797446
[19:08] <openstack> Launchpad bug 1797446 in keystonemiddleware "Make AuthContextMiddleware more flask friendly" [Wishlist,Triaged]
[19:08] <lbragstad> cool
[19:09] <kmalloc> this is winding down nicely
[19:09] <kmalloc> maybe another 3-5 more patches and flask is done.
[19:09] <kmalloc> done(tm)
[19:12] *** aojea has joined #openstack-keystone
[19:39] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Register exceptions with a Flask Error Handler https://review.openstack.org/609796
[19:46] *** aojea has quit IRC
[20:17] <kmalloc> lbragstad: ooh a bunch of our tests assume we have the URL Normalizing middleware in place
[20:18] <kmalloc> (basically strip the trailing '/' or rewrite '' to '/'
[20:18] <kmalloc> *facepalm*
[20:19] *** clarkb has joined #openstack-keystone
[20:20] <lbragstad> hmm
[20:20] <lbragstad> we should have the opposite implemented, right?
[20:21] <lbragstad> fwiw - i went through all the flask patches
[20:21] <lbragstad> ooooo
[20:21] <lbragstad> zuul.openstack.org got a facelift
[20:22] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Make Request Logging a little better https://review.openstack.org/609804
[20:22] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Internally defined middleware don't use stevedore https://review.openstack.org/609805
[20:39] *** aojea has joined #openstack-keystone
[20:40] *** pcaruana has quit IRC
[20:41] <kmalloc> lbragstad: test_wsgi will go away shortly
[20:41] <kmalloc> lbragstad: i need to finish the last couple patches here and we're set.
[20:45] <lbragstad> sweet
[20:46] <kmalloc> and i responded to your other comment.
[20:46] <kmalloc> on the set unenforced ok
[20:46] <kmalloc> i'm almost done with all the cleanup that will mean we just start whacking away at the code that is from webob-era
[20:46] <kmalloc> and we'll be 100% flask (except AuthContextMW)
[20:49] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Internally defined middleware don't use stevedore https://review.openstack.org/609805
[20:49] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Convert Normalizing filter to flask native Middleware https://review.openstack.org/609815
[20:55] <kmalloc> lbragstad: annnnnd here we go, last patch for flaskification before just massive cleanup
[20:55] <kmalloc> lbragstad: phew... we are... there
[20:55] <lbragstad> nice :)
[20:56] <kmalloc> the cleanup patch will close the bug.
[20:56] <kmalloc> my brain hurts from this still btw.
[20:56] <kmalloc> it's been a brutal cleanup
[21:09] *** aojea has quit IRC
[21:28] *** dave-mccowan has quit IRC
[21:33] *** dave-mccowan has joined #openstack-keystone
[21:37] <kmalloc> lbragstad: ahhh the params stuff (openstack.params) was old webob legacy stuff
[21:37] <kmalloc> lbragstad: no wonder it wasn't easy to dig up
[21:37] <lbragstad> mmm
[21:37] <kmalloc> basically it was how we passed param stuff from one api down to the next. largely not needed once the API stopped being "configurable" on what could be enabled / disabled
[21:37] <kmalloc> so users could pass something down that could be acted on by say projects
[21:38] <kmalloc> i think it's old old old old paste-ini related ick
[21:38] <kmalloc> like not something we used past essex era
[21:38] <kmalloc> but we carried forever.
[21:40] *** johnsom has joined #openstack-keystone
[21:47] <johnsom> Is the keystone middleware audit code dead?
[21:50] <johnsom> It appears to be mis-matching the services.
[21:51] <lbragstad> johnsom have an example?
[21:53] <johnsom> lbragstad I'm always getting "keystone" as the target. It looks like this code: https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/audit/_api.py#L270 is trying to match the service by the endpoint IP, which isn't going to work with the stacked endpoints.
[21:53] <johnsom> https://www.irccloud.com/pastebin/nOfRd6xB/
[21:54] <kmalloc> johnsom: it might be very much out of date
[21:54] <johnsom> lbragstad Mostly I didn't want to spend a bunch of time figuring out if I did something wrong for finding out if this is still a thing...  A lot of the audit maps looked pretty out of date
[21:54] <kmalloc> it seems to be mostly unmaintained.
[21:55] <kmalloc> though i don't think that is because it isn't wanted
[21:55] <kmalloc> just no one has stepped up to help keep it going (and add full end to end testing)
[21:55] <kmalloc> lbragstad: the big test. running unit tests with all the old code ripped out
[21:56] <kmalloc> lbragstad: let's see if it works.  feeling good so far.
[21:59] <kmalloc> lbragstad: OMG, clean py27 test run, running py35 now. and one more bit of shuffle code and we're free and clear of flaskification
[22:01] *** aojea has joined #openstack-keystone
[22:01] <lbragstad> 0.0
[22:01] <lbragstad> it can't be that easy, can it?
[22:01] * lbragstad waits to get kicked by someone
[22:05] <kmalloc> lbragstad: dude, you're going to love this last patch
[22:08] <kmalloc> ok... here we go, last code shuffle done... one more pass on unit tests...
[22:09] <openstackgerrit> ayoung proposed openstack/keystone master: Re-enable REMOTE_USER tests https://review.openstack.org/609834
[22:10] <openstackgerrit> Merged openstack/keystone master: add unit tests for healthcheck https://review.openstack.org/609549
[22:11] <kmalloc> lbragstad: i.. i think this is going to pass....
[22:11] <kmalloc> lbragstad: also hah "that easy"
[22:12] * kmalloc eyes https://review.openstack.org/#/q/status:merged+project:openstack/keystone+branch:master+topic:bug/1776504
[22:12] <kmalloc> erm
[22:12] <johnsom> Yeah, ok, so it assumes unique IP:Ports for each endpoint. If I bypass that everything starts working as it should.
[22:15] <kmalloc> that one: https://review.openstack.org/#/q/project:openstack/keystone+branch:master+topic:bug/1776504
[22:19] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Move AuthContextMiddleware https://review.openstack.org/609836
[22:19] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Flask comment/docstring cleanup https://review.openstack.org/609837
[22:19] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Cleanup test_wsgi https://review.openstack.org/609838
[22:19] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Remove pre-flask legacy code https://review.openstack.org/609839
[22:19] *** openstackgerrit has quit IRC
[22:19] *** openstackgerrit has joined #openstack-keystone
[22:19] <kmalloc> lbragstad: ^ 609839. Closes the flask bug.
[22:20] <kmalloc> lbragstad: +213, -1642
[22:20] <kmalloc> hehehe
[22:20] <johnsom> nice
[22:21] <kmalloc> #success Keystone Flask Conversion Final Patch submitted to gerrit.
[22:21] <openstackstatus> kmalloc: Added success to Success page (https://wiki.openstack.org/wiki/Successes)
[22:22] <kmalloc> lbragstad: ~99 commits.
[22:22] <kmalloc> lbragstad: this might take the record for volume of code change for a single "feature" / cleanup.
[22:23] *** rcernin has joined #openstack-keystone
[22:24] <kmalloc> lbragstad, cmurphy, gagehugo, hrybacki, ayoung, knikolla, wxy-xiyuan, rodrigods: https://review.openstack.org/#/c/609839/ final flask patch (in the stack)
[22:24] <kmalloc> should be 100% ready for eyes up the outstanding patches.
[22:25] <kmalloc> https://review.openstack.org/#/q/(topic:bug/1776504+OR+topic:flaskification)+(status:open+OR+status:merged)
[22:28] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Remove paste-ini https://review.openstack.org/609841
[22:28] *** openstackstatus has quit IRC
[22:29] *** openstackstatus has joined #openstack-keystone
[22:29] *** ChanServ sets mode: +v openstackstatus
[22:33] *** aojea has quit IRC
[22:49] <kmalloc> lbragstad: 93 commits, +14147 lines, -12999 lines
[23:17] *** spotz has quit IRC
[23:18] *** mattoliverau has quit IRC
[23:26] *** aojea has joined #openstack-keystone
[23:55] *** spotz has joined #openstack-keystone
[23:57] *** aojea has quit IRC
[23:59] *** lbragstad has quit IRC
